misc/139387: Wrong length of PF_KEY messages in promiscuous mode
Rainer Bredehorn
Bredehorn at gmx.de
Wed Oct 7 08:30:02 UTC 2009
>Number: 139387
>Category: misc
>Synopsis: Wrong length of PF_KEY messages in promiscuous mode
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 07 08:30:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Rainer Bredehorn
>Release: FreeBSD 7.1
>Organization:
>Environment:
FreeBSD 7.1-RELEASE
>Description:
File: netipsec/keysock.c
Function: key_sendup0()
--------------
    if (promisc) {
        struct sadb_msg *pmsg;

        M_PREPEND(m, sizeof(struct sadb_msg), M_DONTWAIT);
        if (m && m->m_len < sizeof(struct sadb_msg))
            m = m_pullup(m, sizeof(struct sadb_msg));
        if (!m) {
            pfkeystat.in_nomem++;
            m_freem(m);
            return ENOBUFS;
        }
-------->  m->m_pkthdr.len += sizeof(*pmsg);
        pmsg = mtod(m, struct sadb_msg *);
        bzero(pmsg, sizeof(*pmsg));
        pmsg->sadb_msg_version = PF_KEY_V2;
        pmsg->sadb_msg_type = SADB_X_PROMISC;
        pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
        /* pid and seq? */
        pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
    }
-----------------
This "m->m_pkthdr.len += sizeof(*pmsg);" is not necessary, so sadb_msg_len is always 16 bytes too large.
M_PREPEND already adjusts the length of the mbuf to the correct size.
Best regards, Rainer
>How-To-Repeat:
Switch the kernel PF_KEY to promiscuous mode.
Receive promiscuous mode messages.
>Fix:
Remove the adjustment of the mbuf length (m->m_pkthdr.len += sizeof(*pmsg);)
>Release-Note:
>Audit-Trail:
>Unformatted:
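The following is an added userland model of the length bookkeeping described in this report; it is not code from the report or from the FreeBSD kernel. It assumes a stand-in M_PREPEND() that, as the report states, already adds the prepended size to m_pkthdr.len, a placeholder numeric value for SADB_X_PROMISC (the real one is in <net/pfkeyv2.h>), the PFKEY_UNIT64/PFKEY_UNUNIT64 shift macros, and that the socket layer delivers to userland the bytes actually present in the chain (m_len) rather than the m_pkthdr.len figure. The names mbuf_model, model_m_prepend, build_promisc_header, check_pfkey_len, promisc_len_discrepancy and promisc_sadb_msg_len are hypothetical. It reproduces the promisc branch of key_sendup0() with and without the flagged line, and shows the receiver-side check a PF_KEY listener can apply to spot the 16-byte overstatement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PF_KEY v2 base header as laid out in <net/pfkeyv2.h>: 16 bytes, with
 * sadb_msg_len counting the whole message in 8-byte units. */
struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};

#define PF_KEY_V2          2
#define SADB_X_PROMISC     0x7f   /* placeholder value; the real one is in <net/pfkeyv2.h> */
#define PFKEY_UNIT64(a)    ((a) >> 3)
#define PFKEY_UNUNIT64(a)  ((a) << 3)

/* Hypothetical userland stand-in for the parts of an mbuf this report is
 * about: only the two length fields and a flat data buffer. */
struct mbuf_model {
    size_t pkthdr_len;          /* m->m_pkthdr.len: bytes claimed for the chain */
    size_t m_len;               /* m->m_len: bytes actually present in this mbuf */
    unsigned char data[256];
};

/* Stand-in for M_PREPEND(): makes room for `len` bytes in front of the data
 * and, because this is a packet-header mbuf, already adds `len` to
 * m_pkthdr.len. That built-in adjustment is the point of the report. */
static void model_m_prepend(struct mbuf_model *m, size_t len)
{
    memmove(m->data + len, m->data, m->m_len);
    m->m_len += len;
    m->pkthdr_len += len;
}

/* Mirrors the promisc branch of key_sendup0(). With `double_count` set it
 * keeps the "m->m_pkthdr.len += sizeof(*pmsg)" line the report flags;
 * with it clear it applies the proposed fix. Returns sadb_msg_len. */
static uint16_t build_promisc_header(struct mbuf_model *m, int double_count)
{
    struct sadb_msg *pmsg;

    model_m_prepend(m, sizeof(struct sadb_msg));
    if (double_count)
        m->pkthdr_len += sizeof(struct sadb_msg);
    pmsg = (struct sadb_msg *)m->data;
    memset(pmsg, 0, sizeof(*pmsg));
    pmsg->sadb_msg_version = PF_KEY_V2;
    pmsg->sadb_msg_type = SADB_X_PROMISC;
    pmsg->sadb_msg_len = (uint16_t)PFKEY_UNIT64(m->pkthdr_len);
    return pmsg->sadb_msg_len;
}

/* Receiver-side sanity check a PF_KEY listener can apply to every message:
 * compare the length the header claims with the bytes actually read.
 * Returns claimed minus actual in bytes (0 means consistent), or -1 when
 * there are not even enough bytes for a header. */
static long check_pfkey_len(const unsigned char *buf, size_t nread)
{
    struct sadb_msg hdr;

    if (nread < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    return (long)PFKEY_UNUNIT64((size_t)hdr.sadb_msg_len) - (long)nread;
}

/* Scenario: a constructed 32-byte inner PF_KEY message is wrapped for a
 * promiscuous listener. Returns what the listener's check reports. */
static long promisc_len_discrepancy(int double_count)
{
    struct mbuf_model m;

    memset(&m, 0, sizeof(m));
    m.m_len = 32;               /* constructed inner message; contents irrelevant */
    m.pkthdr_len = 32;
    build_promisc_header(&m, double_count);
    /* Assumed: userland receives the bytes present in the chain (m_len),
     * not the m_pkthdr.len figure, so m_len is the "actual" length here. */
    return check_pfkey_len(m.data, m.m_len);
}

/* sadb_msg_len (in 8-byte units) that the same scenario produces. */
static uint16_t promisc_sadb_msg_len(int double_count)
{
    struct mbuf_model m;

    memset(&m, 0, sizeof(m));
    m.m_len = 32;
    m.pkthdr_len = 32;
    return build_promisc_header(&m, double_count);
}

int main(void)
{
    printf("with the extra += : sadb_msg_len=%u units, discrepancy=%ld bytes\n",
           promisc_sadb_msg_len(1), promisc_len_discrepancy(1));
    printf("with the fix      : sadb_msg_len=%u units, discrepancy=%ld bytes\n",
           promisc_sadb_msg_len(0), promisc_len_discrepancy(0));
    return 0;
}
```

With the extra increment the header advertises 8 units (64 bytes) for a 48-byte message, exactly the 16-byte (two-unit) overstatement the report describes; with the increment removed the header and the delivered byte count agree. A listener that applies check_pfkey_len() before trusting sadb_msg_len to walk extension headers will reject the inconsistent message instead of reading past the data it received.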